I've gone security bananas - just ordered a Yubikey 5NFC..

Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

Just about a month ago - I was completely lax in regards to security - I had password stickies on my home PC, credit cards sitting in a pen holder, checkbooks out in the open, no screen locks on my PC and Mac, poor simple passwords.

Anyhow - I've gone over the top - it started with LastPass - then 2FA on everything, then fun with drive encryption which was extremely painful (bricked my PC using BitLocker and lost a drive using VeraCrypt and messed up my Mac Time Machine backup trying to encrypt my Synology NAS drives)...

Now I've ordered the Yubikey

Let the fun begin... I just hope I can use it everywhere that I need it.

Thanks for any tips from key experts.
c

Edit: Before being asked - my PC is finally locked down the way I want it - screen lock - strong password, RAID 1 + hot spare, VeraCrypt on all drives - password required on boot. MacBook - drive encryption with FileVault - and screen lock very fast - strong password. Backup Synology NAS is a bit of a pain that I'm still working through...
occambogle
Posts: 808
Joined: Thu Dec 12, 2019 4:58 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by occambogle »

I use 1Password for Mac for passwords and Filevault for drive encryption (which has been flawless over many years) but until recently had avoided much 2FA Authenticator stuff due to additional hassle. Now I use Authy for all sites that support 2FA. I like it because your 2FA records are synced to their servers so if you lose your mobile or have to replace it you don't get locked out from your sites.

Regarding Yubikey I've been looking into this a fair bit... and it seems good... but I just don't find the majority of the sites I really want security for (banking, financial, my website and email) actually support it.
L82GAME
Posts: 554
Joined: Sat Dec 07, 2019 9:29 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by L82GAME »

I use a Yubikey NFC for logging onto my PC, for VG access, and with Yubico’s auth app whereby the secret key for six digit auth code resides on the key instead of on one’s phone.
"Still I am learning." - Michelangelo
6U7a9Zfym64CRBB8gY3v
Posts: 15
Joined: Wed Oct 23, 2019 12:46 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by 6U7a9Zfym64CRBB8gY3v »

occambogle wrote: Wed Mar 17, 2021 4:54 am I use 1Password for Mac for passwords and Filevault for drive encryption (which has been flawless over many years) but until recently had avoided much 2FA Authenticator stuff due to additional hassle. Now I use Authy for all sites that support 2FA. I like it because your 2FA records are synced to their servers so if you lose your mobile or have to replace it you don't get locked out
1Password has built in 2FA/authenticator support. No need to use a second app if you use 1Pass
occambogle
Posts: 808
Joined: Thu Dec 12, 2019 4:58 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by occambogle »

6U7a9Zfym64CRBB8gY3v wrote: Wed Mar 17, 2021 6:48 am 1Password has built in 2FA/authenticator support. No need to use a second app if you use 1Pass
I'm still using the standalone 6.8 version which doesn't require subscription fees, but also doesn't have 2FA support. Also, I see some small advantage in spreading passwords + 2FA across 2 apps, rather than putting all the eggs in one basket.
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

occambogle wrote: Wed Mar 17, 2021 4:54 am I use 1Password for Mac for passwords and Filevault for drive encryption (which has been flawless over many years) but until recently had avoided much 2FA Authenticator stuff due to additional hassle. Now I use Authy for all sites that support 2FA. I like it because your 2FA records are synced to their servers so if you lose your mobile or have to replace it you don't get locked out from your sites.

Regarding Yubikey I've been looking into this a fair bit... and it seems good... but I just don't find the majority of the sites I really want security for (banking, financial, my website and email) actually support it.
Thanks - I've found the same thing as well. I do know both my emails support it so at the moment I'm more concerned with locking down my email - forgot password business - so I'm looking for a combo yubikey/google voice type solution.

I'll try it out - I can return it up to 30 days.

That has been the problem with this security stuff - someone has a great idea - but the actual implementation you find lacking - places don't accept it - or it has a hidden extra feature that you don't agree with (drive encryption, NAS encryption come to mind...)
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

L82GAME wrote: Wed Mar 17, 2021 5:40 am I use a Yubikey NFC for logging onto my PC, for VG access, and with Yubico’s auth app whereby the secret key for six digit auth code resides on the key instead of on one’s phone.
Cool - great to know. Thanks. So far I should be able to lock down both emails and Lastpass with it - that should be a good start.
AAA
Posts: 1520
Joined: Sat Jan 12, 2008 8:56 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by AAA »

occambogle wrote: Wed Mar 17, 2021 4:54 am I use 1Password for Mac for passwords and Filevault for drive encryption (which has been flawless over many years) but until recently had avoided much 2FA Authenticator stuff due to additional hassle. Now I use Authy for all sites that support 2FA. I like it because your 2FA records are synced to their servers so if you lose your mobile or have to replace it you don't get locked out from your sites.
Couple of questions:

How would you compare 1Password to Apple’s Keychain which is built-in to Mac OS?

Can you elaborate on your last sentence?
occambogle
Posts: 808
Joined: Thu Dec 12, 2019 4:58 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by occambogle »

AAA wrote: Wed Mar 17, 2021 9:05 am How would you compare 1Password to Apple’s Keychain which is built-in to Mac OS?
Apple Keychain is OK for basic passwords and I do use it for sites where I don't care about the security that much because it's quick and easy, but I use 1Password to store all sorts of information like bank account details, membership cards, even detailed info like bank transfer routing details for banks etc. As well as notes containing lots of different stuff that isn't necessarily a website login.
AAA wrote: Wed Mar 17, 2021 9:05 am Can you elaborate on your last sentence?
Well say you have a 2FA authenticator app set up on your phone that doesn't have any kind of backup, if you lose your phone etc you'll be locked out of that website account. Some sites have "recovery codes" you can safely store to use in this situation, but not all sites do.

With Authy you can (a) have it installed on another phone, or laptop, and all your 2FA logins sync between them so if you lose your phone you can just use your other phone or laptop to immediately login. And (b) if you have multi-devices authorised you can log in on your new replacement phone and use the other device to authorize it. E.g. I have it installed on my phone and 2 computers, so if my phone gets lost I can still immediately use all my 2FA logins from laptop. And can then use laptop to authorize the 2FA accounts to be synced to the new phone. Some more info here:

https://support.authy.com/hc/en-us/arti ... lti-Device
https://support.authy.com/hc/en-us/arti ... ible-Phone
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by Lynette »

occambogle wrote: Wed Mar 17, 2021 9:36 am
AAA wrote: Wed Mar 17, 2021 9:05 am How would you compare 1Password to Apple’s Keychain which is built-in to Mac OS?
Apple Keychain is OK for basic passwords and I do use it for sites where I don't care about the security that much because it's quick and easy, but I use 1Password to store all sorts of information like bank account details, membership cards, even detailed info like bank transfer routing details for banks etc. As well as notes containing lots of different stuff that isn't necessarily a website login.
AAA wrote: Wed Mar 17, 2021 9:05 am Can you elaborate on your last sentence?
Well say you have a 2FA authenticator app set up on your phone that doesn't have any kind of backup, if you lose your phone etc you'll be locked out of that website account. Some sites have "recovery codes" you can safely store to use in this situation, but not all sites do.

With Authy you can (a) have it installed on another phone, or laptop, and all your 2FA logins sync between them so if you lose your phone you can just use your other phone or laptop to immediately login. And (b) if you have multi-devices authorised you can log in on your new replacement phone and use the other device to authorize it. E.g. I have it installed on my phone and 2 computers, so if my phone gets lost I can still immediately use all my 2FA logins from laptop. And can then use laptop to authorize the 2FA accounts to be synced to the new phone. Some more info here:

https://support.authy.com/hc/en-us/arti ... lti-Device
https://support.authy.com/hc/en-us/arti ... ible-Phone
Thank you. I did not know you could use Authy on your laptop. I installed it on my phone. I also have two Yubikeys arriving soon as well as another dedicated Chromebook for Finance only. It is amazing what a data breach on one of my websites and the cyber attacks that followed has done to make me upgrade my security! I also am using 1Password now. It has made me realize just how good Google's security (not privacy) is. Another advantage of using 1Password has made me realize how companies have been consolidating their websites. In many instances I only need one account to sign into all of their services.

Again a big thanks to all of the knowledgeable people on Bogleheads who have shared their expertise with us.
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

with Yubikey AND say Last Pass or 1password, bitwarden etc - you shouldn't need a 3rd Authy application. I certainly don't want another.

Thanks.
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by Lynette »

rebellovw wrote: Wed Mar 17, 2021 10:09 am with Yubikey AND say Last Pass or 1password, bitwarden etc - you shouldn't need a 3rd Authy application. I certainly don't want another.

Thanks.
I am just testing them. An issue seems to be that many sites do not support Yubikey.
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

Lynette wrote: Wed Mar 17, 2021 10:24 am
rebellovw wrote: Wed Mar 17, 2021 10:09 am with Yubikey AND say Last Pass or 1password, bitwarden etc - you shouldn't need a 3rd Authy application. I certainly don't want another.

Thanks.
I am just testing them. An issue seems to be that many sites do not support Yubikey.
Yep - me too - haven't received it yet.

I think the most important things to secure would be your email, Google Voice (most support it - both of mine do) and your password manager. These hold the keys and 2FA for everything. That is what I'm going to initially start with.

I also need 2 more keys according to Yubikey - but I'll evaluate the single key for now and see if it will work for me - then off to ordering/creating a backup key.
TxFrog
Posts: 18
Joined: Mon Mar 01, 2021 8:45 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by TxFrog »

Does anyone here use a Yubikey as 2FA for their password manager, but not as a 2FA for logging into websites? For example, use a password manager where you need your passphrase + Yubikey to access your password database.

I was considering buying a Yubikey. However, if the financial websites I use don’t support Yubikey and still rely on SMS for 2FA, I’m not seeing much security benefit at this time.
mptfan
Posts: 6509
Joined: Mon Mar 05, 2007 9:58 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by mptfan »

TxFrog wrote: Wed Mar 17, 2021 10:47 am Does anyone here use a Yubikey as 2FA for their password manager, but not as a 2FA for logging into websites? For example, use a password manager where you need your passphrase + Yubikey to access your password database.
I use FIDO security keys as 2FA (some are Yubikeys and some are made by others) for my password manager and I use it to log in to websites. Admittedly there are only a few accounts that support physical security keys, but I think one of the most important reasons to use them is to lock down your email account, I think it is worth using them for that reason alone because your email is the key to your online kingdom. I use Google as my email provider and my Google account is locked down with the Advanced Protection Program which requires physical security keys as 2FA. I sleep well at night.
Last edited by mptfan on Wed Mar 17, 2021 10:58 am, edited 3 times in total.
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

TxFrog wrote: Wed Mar 17, 2021 10:47 am Does anyone here use a Yubikey as 2FA for their password manager, but not as a 2FA for logging into websites? For example, use a password manager where you need your passphrase + Yubikey to access your password database.

I was considering buying a Yubikey. However, if the financial websites I use don’t support Yubikey and still rely on SMS for 2FA, I’m not seeing much security benefit at this time.
I haven't yet - but the idea here is:

Bank - 2FA -> Google Voice -> 2FA -> Yubikey

So by locking down Google Account - it might add some slight security improvements over Bank -> Phone(locked down with pin through provider - and also phone locked down and highly secure on its own.)
Blake7
Posts: 317
Joined: Fri Mar 30, 2018 2:52 pm
Location: USA

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by Blake7 »

I use VeraCrypt, but I don’t encrypt whole drives. I prefer to use a volume that I can easily upload to cloud storage. Encrypting an entire drive does give an extra bit of security with regard to data leaks, but it’s not really necessary except for the most sensitive situations, and it comes with more risks of issues (as you’ve experienced).
Last edited by Blake7 on Wed Mar 17, 2021 1:46 pm, edited 1 time in total.
squirm
Posts: 3326
Joined: Sat Mar 19, 2011 11:53 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by squirm »

I think it's important to be reasonable with security otherwise the novelty will wear off. I use LastPass with 2FA with good passwords, use Windows Hello and don't do the obvious such as leaving checkbooks and credit cards lying around.
TxFrog
Posts: 18
Joined: Mon Mar 01, 2021 8:45 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by TxFrog »

mptfan wrote: Wed Mar 17, 2021 10:55 am
TxFrog wrote: Wed Mar 17, 2021 10:47 am Does anyone here use a Yubikey as 2FA for their password manager, but not as a 2FA for logging into websites? For example, use a password manager where you need your passphrase + Yubikey to access your password database.
I use FIDO security keys as 2FA (some are Yubikeys and some are made by others) for my password manager and I use it to log in to websites. Admittedly there are only a few accounts that support physical security keys, but I think one of the most important reasons to use them is to lock down your email account, I think it is worth using them for that reason alone because your email is the key to your online kingdom. I use Google as my email provider and my Google account is locked down with the Advanced Protection Program which requires physical security keys as 2FA. I sleep well at night.
Thanks for the feedback, didn’t consider using Yubikey to lockdown my email. I’m leaning towards password manager + passphrase + Yubikey + long randomly generated passwords.

Hopefully sometime in the near future most banking and financial institutions accept Yubikey/FIDO devices in lieu of SMS 2FA.
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by Lynette »

I came across this YouTube website on how to set up and why to use Yubikeys. It becomes really complicated if one wants to use the same key for many different websites. One can use a Yubico authenticator to manage Yubikeys for different websites:

https://www.youtube.com/watch?v=ybn9J4QCqK4

I think as mentioned above, the most important thing you can do is to lock down your primary email account. Yesterday I created another gmail account for financial matters only but found it confusing to manage both on my Chromebook. I will see if I can use the second gmail on my new Chromebook that arrives tomorrow.

No time for hobbies! Security becomes a full time occupation!
mptfan
Posts: 6509
Joined: Mon Mar 05, 2007 9:58 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by mptfan »

Lynette wrote: Wed Mar 17, 2021 11:59 am It becomes really complicated if one wants to use the same key for many different websites.
It's not complicated at all, I use the same security keys for more than one site and it's very easy, so easy you don't have to do anything. You can use one security key for multiple sites with no issue.
mptfan
Posts: 6509
Joined: Mon Mar 05, 2007 9:58 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by mptfan »

TxFrog wrote: Wed Mar 17, 2021 11:23 am Thanks for the feedback, didn’t consider using Yubikey to lockdown my email.
Stop and think for a moment about what would happen if someone hacked into your email account and you were locked out. They would probably have access to so much information they could take over your identity, and they could use your email as 2FA to get security codes from many of your accounts, or use it to reset your passwords at your financial accounts and now the hacker has the passwords to your financial accounts and you are locked out. A determined hacker with that kind of access could wreak havoc and good luck sorting that out. So if you really think about it locking down your email should be one of your highest priorities, at least as important as locking down your financial accounts.

Also, I don't know about you, but I use my Google account for more than just email, I use Drive, Photos, Calendar and others, and I would definitely not want that account to be hacked so I lock it down with Google's APP and I sleep well.
Last edited by mptfan on Wed Mar 17, 2021 12:37 pm, edited 3 times in total.
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by JohnFiscal »

rebellovw wrote: Tue Mar 16, 2021 10:23 pm Now I've ordered the Yubikey
big Thumbs Up for Yubi.

I've been using them for several years and never had any problems (except for user error on a few occasions).

I keep a Nano plugged into the external monitor for my laptop and it is so easy to use (versus pesky sms codes).

When I undock the laptop I use any of several other Yubis. Latest is a 5 NFC, so I can use on my Pixel phone as well (except that Vanguard's software is not set up for this use).

I've had to put a big honkin' key ring thing on mine because I was constantly misplacing it in the house.

Another benefit of the Yubi keys is they are tied to a particular url for the log in, so they protect against phishing as well. This was discussed recently in the BH forum and there's a paper on the Yubi website about this.

In sum, the hardware keys are so easy to use, no reason not to.
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by Lynette »

I will see how easy it is when I get my Yubikey. I am probably the type of person who reads the manual (or YouTube videos) several times before attempting to use it. :D
Last edited by Lynette on Wed Mar 17, 2021 12:49 pm, edited 1 time in total.
increment
Posts: 578
Joined: Tue May 15, 2018 2:20 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by increment »

occambogle wrote: Wed Mar 17, 2021 9:36 am Well say you have a 2FA authenticator app set up on your phone that doesn't have any kind of backup, if you lose your phone etc you'll be locked out of that website account. Some sites have "recovery codes" you can safely store to use in this situation, but not all sites do.

With Authy you can (a) have it installed on another phone, or laptop, and all your 2FA logins sync between them so if you lose your phone you can just use your other phone or laptop to immediately login. And (b) if you have multi-devices authorised you can log in on your new replacement phone and use the other device to authorize it.
The Wirecutter likes Authy and such features, but notes that "security experts we spoke with recommended against using cloud backups for two-factor authentication tokens."
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by JohnFiscal »

Lynette wrote: Wed Mar 17, 2021 12:40 pm I will see how easy it is when I get my Yubikey. I am probably the type of person who reads the manual (or YouTube videos) several times before attempting to use it. :D
It's not so much that the Yubikey needs to be set up itself, all you do is plug it in (*). You have to work on each site that you want to use it for 2FA with your usual log in. The setting up process is done at that site, e.g.: Vanguard, Fidelity, Facebook, Google, etc. I also use it for some federal government sites, like Global Entry, etc.

For example, at Vanguard you have to go to the Security page and "register" the key. Other sites are similar. Often they prompt you to give the key a name. The name isn't used for anything, just so the user can identify which key will be used (for example, I have 4 keys but actively use only 2).

Once the key is "registered" then you (generally) log in the usual way (username and pw), then a second or so later a message pops up prompting you to "touch" the key (touch the metal part)...only takes a second or less.

Only one time did I have a problem and that was with Vanguard. Their utility to prompt for the hardware key was not running on their site; maybe an hour later it was back. But I've never had a problem with an unrecognized key.

The Yubi site has instructions on how many sites register the keys (https://www.yubico.com/works-with-yubikey/catalog/).

(*) The only problem I've had is that the keys that plug into usual USB ports don't have the "guides" that a typical USB plug has, thus it's possible to insert them upside down...they don't work in this case! This caused me a lot of panic some years back while traveling overseas.
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by Lynette »

If you want to register a second Yubikey, would you need to go through the same process on each website? Then potentially two Yubikeys would work but they would have different codes on them for each site? Maybe that doesn't really matter??
mptfan
Posts: 6509
Joined: Mon Mar 05, 2007 9:58 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by mptfan »

Lynette wrote: Wed Mar 17, 2021 1:43 pm If you want to register a second Yubikey, would you need to go through the same process on each website? Then potentially two Yubikeys would work but they would have different codes on them for each site? Maybe that doesn't really matter??
Yes, you have to register each security key with each account, you can have two or more security keys on one account but you have to register each key. You can use multiple security keys for one account (some accounts have a limit on how many keys you can register) and each registered security key will work. You can also use one security key on multiple accounts...

Q: Can I use my Security Key with multiple Google accounts?

A: Yes, the same FIDO U2F Security Key can be used to secure multiple Google accounts.

Q: How many services can the Security Key be associated with?

A: There is no practical limit to the U2F secured services the Security Key can be associated with. During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the Security Key. Instead, the key pair (public key and encrypted private key) are stored by each relying party/service that initiated the registration. Therefore, this approach allows for an unlimited number of services to be associated with the Security Key.

Q: Can I use the U2F YubiKey I have for Gmail and other Google Accounts with Dropbox?

A: Yes!! The same U2F YubiKey can be used with any number of services and there is no practical limit to the U2F-secured services the FIDO U2F Security Key, Yubikey 4, and Yubikey NEO can be associated with.

During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the YubiKeys. Instead, the key pair (public key and encrypted private key) are stored by each relying party/service that initiated the registration. Therefore, this approach allows for an unlimited number of services to be associated with the U2F-certified YubiKeys.

This means the same U2F-enabled YubiKey you use for Gmail or G Suite can be used with your Facebook, GitHub, and Dropbox accounts.


https://www.yubico.com/authentication-s ... /fido-u2f/
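The registration and login flow from the FAQ quoted above, together with the URL binding JohnFiscal mentions earlier in the thread, as an added Python example that is not part of any forum post and is not Yubico's code. It is a simplified model: the HMAC-based key handle (standing in for the FAQ's "encrypted private key"), the toy P-256 ECDSA and the `*.example` / `*.test` origins are assumptions for illustration.

```python
import hashlib
import hmac
import os

# NIST P-256 domain parameters (the curve FIDO U2F signs with); a = -3.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    """Double-and-add scalar multiplication (toy: not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def _hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ecdsa_sign(priv, msg):
    # Per-signature nonce derived from key and message (simplified, not RFC 6979).
    k = _hash_int(priv.to_bytes(32, "big") + msg) % (N - 1) + 1
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (_hash_int(msg) + r * priv) % N

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def app_id(origin):
    return hashlib.sha256(origin.encode()).digest()

class SecurityKey:
    """Model of a U2F token: one device secret, nothing stored per site."""
    def __init__(self):
        self._secret = os.urandom(32)

    def _mac(self, label, aid, nonce):
        return hmac.new(self._secret, label + aid + nonce, hashlib.sha256).digest()

    def _private(self, aid, nonce):
        return int.from_bytes(self._mac(b"key", aid, nonce), "big") % (N - 1) + 1

    def register(self, origin):
        """Return (public key, key handle); the site stores both."""
        aid, nonce = app_id(origin), os.urandom(32)
        handle = nonce + self._mac(b"tag", aid, nonce)
        return _mul(self._private(aid, nonce), G), handle

    def sign(self, origin, handle, challenge):
        """Sign only if this key issued the handle for this origin."""
        aid, nonce, tag = app_id(origin), handle[:32], handle[32:]
        if not hmac.compare_digest(tag, self._mac(b"tag", aid, nonce)):
            return None
        return ecdsa_sign(self._private(aid, nonce), aid + challenge)

def demo():
    # Constructed origins; the browser, not the user, supplies `origin`.
    mail, lookalike = "https://mail.example", "https://mail-example.test"
    key, backup = SecurityKey(), SecurityKey()
    mail_pub, mail_handle = key.register(mail)
    bank_pub, _ = key.register("https://bank.example")
    challenge = os.urandom(32)
    sig = key.sign(mail, mail_handle, challenge)
    signed = app_id(mail) + challenge
    return {
        "login_verifies": ecdsa_verify(mail_pub, signed, sig),
        "per_site_keys_differ": mail_pub != bank_pub,
        "lookalike_site_signed": key.sign(lookalike, mail_handle, challenge) is not None,
        "unregistered_backup_signed": backup.sign(mail, mail_handle, challenge) is not None,
    }
```

The last two results show why a look-alike domain gets no signature out of the key, and why a backup key only works at sites where it has itself been registered.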
TravelGeek
Posts: 4282
Joined: Sat Oct 25, 2014 3:23 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by TravelGeek »

occambogle wrote: Wed Mar 17, 2021 6:55 am
6U7a9Zfym64CRBB8gY3v wrote: Wed Mar 17, 2021 6:48 am 1Password has built in 2FA/authenticator support. No need to use a second app if you use 1Pass
I'm still using the standalone 6.8 version which doesn't require subscription fees, but also doesn't have 2FA support. Also, I see some small advantage in spreading passwords + 2FA across 2 apps, rather than putting all the eggs in one basket.
Hmm. I use the standalone (non-subscription) version as well. On my Mac I currently have 1Password 6 (6.8.9), and on the sync'ed Android and iOS devices I have the latest versions available. They all support 2FA codes (and sync them). That said, I haven't migrated all my 2FA-enabled accounts to 1Password (some are in Microsoft's and Google's apps). Added to to-do list ;)
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by JohnFiscal »

Lynette wrote: Wed Mar 17, 2021 1:43 pm If you want to register a second Yubikey, would you need to go through the same process on each website?
mptfan gave a great post about this.

I just want to add that it's wise to have two hardware keys registered, if possible, or have alternate method for 2FA, in the event a key is lost, broken, or stolen.

(if stolen then you really need to go to all sites that key was registered at and decommission it).
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by Lynette »

JohnFiscal wrote: Wed Mar 17, 2021 4:42 pm
Lynette wrote: Wed Mar 17, 2021 1:43 pm If you want to register a second Yubikey, would you need to go through the same process on each website?
mptfan gave a great post about this.

I just want to add that it's wise to have two hardware keys registered, if possible, or have alternate method for 2FA, in the event a key is lost, broken, or stolen.

(if stolen then you really need to go to all sites that key was registered at and decommission it).
Thank you very much for the advice. I got the 2 Yubikeys today and they are tiny! I also got the new Chromebook for financial data and to my annoyance, it only had one USB C slot for the power supply. I had a device that inputs from the USB drive on the new computer to the Yubikey 5 C I got from Amazon. I will test it out on my new Chromebook with a new Email account. I don't care if this gets messed up as I have nothing in it yet.

I am also impressed with the default mode of Google 2FA that sends a prompt to my phone. It even sends it to a new phone I have on wifi. I don't have a SIM for it yet - on the todo list!

Thanks - and good luck!

Lynette
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

squirm wrote: Wed Mar 17, 2021 11:04 am I think it's important to be reasonable with security otherwise the novelty will wear off. I use LastPass with 2FA with good passwords, use Windows Hello and don't do the obvious such as leaving checkbooks and credit cards lying around.
Yeah - it was funny - I changed all my passwords, enabled 2FA everywhere - then went to use a credit card - and was like DOH! They are sitting out in the open! So fixed that right away.

I think of someone breaking into the house and stealing laptop, PC (would be hard as my HAL is gigantic and heavy) and finding checkbooks etc.

So from that perspective - I have my bases covered.

That synology NAS though has been a real pain to deal with.
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

Blake7 wrote: Wed Mar 17, 2021 10:58 am I use VeraCrypt, but I don’t encrypt whole drives. I prefer to use a volume that I can easily upload to cloud storage. Encrypting an entire drive does give an extra bit of security with regard to data leaks, but it’s not really necessary except for the most sensitive situations, and it comes with more risks of issues (as you’ve experienced).
Yeah - if my laptops, PCs get stolen - I really want the drives to be useless - not that I really think the thieves would try to learn any of my secrets - I am a kind of big deal after all. :wink:

My work laptop is drive encrypted - and at first I was resistant - but having lived with it for so many years really not a big deal.
Topic Author
rebellovw
Posts: 988
Joined: Tue Aug 16, 2016 4:30 pm

Re: I've gone security bananas - just ordered a Yubikey 5NFC..

Post by rebellovw »

As part of my security mania I've also locked down my email accounts and set email to block all images (mostly marketing network chatter but still worthwhile) - me opening emails is nobody's business.

I installed temporarily the google chrome extension - 'Trocker' which is enlightening at showing all the marketing chatter done by having images in email. Once the chatter ended - I removed the extension.